Photo by Dimitri Finker

Former U.S. Secretary of Homeland Security Michael Chertoff delivered a keynote address at a private consultation on cybersecurity preceding EWI’s seventh annual Worldwide Security Conference in Brussels. The consultation was one of several special sessions on some of the world’s most pressing security concerns. Other sessions focused on climate security and alternative futures for Afghanistan and Southwest Asia.

Below, the full text of Chertoff’s keynote address:

Keynote to EastWest Institute

Good afternoon.

First I would like to take this opportunity to thank John Mroz and the very professional staff and colleagues involved with the EastWest Institute for inviting me to speak to you today.  I am honored to introduce this afternoon’s distinguished international panel discussions which seek to cover some of the world’s most vital issues and challenges surrounding cyber security and cyber space. 

Second I would like to apologize for being unable to attend this morning’s sessions – I just arrived in Brussels only a couple of hours ago from Washington – but I understand there were some very interesting discussions and points made relative to advancing international collaboration in cyber defenses. 

Apropos of this morning’s agenda however, the reason I couldn’t fly in yesterday was because I was playing the role of the U.S. National Security Advisor during a simulated Cyber Attack against elements of the nation’s critical infrastructure.  The event aptly named “Cyber Shockwave” was hosted by the Bipartisan Policy Council and funded by private sector sponsors.  The objective was to invite recent former U.S. leaders within the national security community to come together and play the roles of the members of the President’s cabinet who would be convened during a national cyber security crisis to determine how the organizations they notionally represent would respond.    

The event was very successful and received strong media coverage.  While the feedback and learnings are still being collected and collated into an after action report, I would offer a few key initial take-aways from my perspective:

1.  First, in the U.S. there are not well-defined responsibilities for maintaining common situational awareness of emerging critical operational developments in cyber space.

2.  Additionally, in a cyber crisis, my nation lacks an effective decision-making framework below the cabinet level for coordinating the government's response and recovery from a devastating cyber event.

3.  Finally, there is not in place a user friendly process to facilitate elements of the public sector engaged in our nation’s defense against cyber attacks to effectively collaborate with elements of the private sector to leverage their expertise and knowledge and bring them to bear during the response to a cyber attack.

In order to build more effective capabilities to prevent, detect, respond to, and mitigate against cyber attacks it is imperative that key stakeholders in the public and private sectors continually search for meaningful ways to work together in order to draw on each other’s strengths.  Far too little has been done in this area and too many opportunities have gone unexploited.

For example, a large U.S. software company told us that it encourages its users to report instances of malware or errors by giving them an opportunity to send a message back to the company when something goes wrong on their system – the process is simple for the user and non-intrusive – and so they do it.  Think about the potential usefulness of a database like this for elements of the public sector engaged in developing cyber defenses that could provide meaningful statistics on the types and frequencies of malware intrusions.  But that is not happening.  And it is not happening because there is not an effective and credible framework in place to facilitate private and public sector collaboration in this area that would be able to exploit an opportunity like that.

One of the aims of EWI’s nascent Worldwide Cyber Security Initiative is to advocate for and mobilize cyber security stakeholders and expert groups.  A worthwhile achievement here would be to really work hard together to continue to identify and build relationships among those stakeholders and expert groups.  And bring them together in forums such as this one to hold discussions with the objective of identifying, and then advocating for opportunities like the one I mentioned earlier. And clearly, as I look out into this audience and at today’s agenda, EWI has shown a strong commitment and willingness to begin that dialogue in earnest.

As mentioned, in order to set up such a dialogue the right problems, challenges and opportunities must be identified first so that an effective framework for discussion may be best informed.  I look at this afternoon’s upcoming panels on Legal Cooperation, Agreements, Standards, Policy and Regulations, and Co-existing in Cyberspace, and I am encouraged that EWI has put the foundation for such a framework together.  I am looking forward to listening to and actively participating in these discussions as well as eagerly anticipating our collective conclusions from today’s sessions and developing actionable next steps for the coming year.

The timing could not be more critical.  Right now, the U.S. government is in the middle of a significant debate - how important is cyber security amongst the many security matters competing for attention.  My compliments to the EastWest Institute for providing a venue, and such an apt theme, “International Pathways to Cybersecurity”, for global leaders and thinkers to discuss this increasingly important issue.

A cornerstone of our 21st century economy is the ability to employ computers to transact business and operate our infrastructure.  We often take for granted how much of our daily lives depend upon the efficient operations of our computers and their ability to communicate across vast and varied networks.  Not just mobile phones, e-mail, and online shopping, but also electricity, transportation, healthcare, and the businesses that manage our daily living such as grocery stores and trash pickup.  Each relies on the network.  Our dependence on cyberspace means that the underlying infrastructure and networks must be reliable and resilient – in other words, secure from failure, compromise, data manipulation, and theft.

In July 2009, for example, South Korea was hit by a wave of cyber-attacks aimed at paralyzing the country’s largest banks, major news agencies, and government systems including the Korean Ministry of Defense.  The disruption prevented people from carrying out transactions, purchasing items, and conducting normal business.  Since these attacks involved distributed denial of service techniques, it was very difficult to identify the real culprit.

Stories of cyber attacks, internet-based espionage, and denial of service attacks such as this one have been a regular feature in the news.  They are often characterized as, and appear to be, criminal schemes aimed at either stealing valuable personal data or extorting money from victims.  But to those who have followed the issue of cyber security, these crises are merely the prelude to an increasing threat. 

Alarmingly, at the same time that the threat of cyber attack is increasing, users of technologies that are vulnerable do not seem to have developed a level of awareness that is remotely commensurate with the threat.  Many users don’t understand how exposed they are to technologies that may be vulnerable to attack.   For example, 87% of Americans recently surveyed through a joint effort by Burson Marsteller and my firm believe they’ve never used a cloud computing service, while at the same time 65% of the same population surveyed admits to regularly using web-based e-mail. Most users don’t have a good appreciation for how susceptible cloud-based services are to attack, and consequently they don’t take even the most fundamental steps to safeguard their systems and protect their data.

Cybersecurity issues, however, transcend the protection of personal data or networks from organized crime or even terrorism.  In fact, cyberwarfare is a major national security issue; protecting the security and freedom of our networks is as critical as protecting freedom of the seas and outer space.

Previous examples underscore three distinct features of cyber conflict that should be noted as we begin our discussions this afternoon.  First, it is difficult to establish evidence that proves beyond a reasonable doubt that a particular entity staged an attack – the issue of “attribution.”  Not only is it difficult to identify and prove whether the attacker is sanctioned by a foreign government, it is also hard to distinguish between active direction by foreign officials and mere tolerance or lax enforcement.   Consequently, accountability for cyber attacks is extremely difficult to determine.

Second, even if there were an ability to demonstrate a specific entity's or a foreign government's complicity in an attack, what are the options for response?  The United States has long declared that a physical attack on us is an act of war that will be met with retaliation.  How should that same principle be contemplated in the context of internet attacks in cyberspace?  Should our cyber policies hold a hosting state responsible for attacks launched by its agents, sanctioned or not?  Is our response to a cyber attack limited to the cyber world or are physical responses on the table?  In my country, I have advocated that these decisions need to be debated and translated into a national declaratory policy to govern future U.S. cyber response actions.

Third, everyone is a combatant in the world of cyberwarfare.  Civilians are on the front lines because our personal communications and network systems are the conduits for Internet warfare.  This means that the responsibility for cybersecurity must not only be a joint effort primarily involving our governments' national security and homeland security elements and private enterprise, but it must also be an individual responsibility to practice safe computing.  This public private partnership was the cornerstone of a Comprehensive National Cybersecurity Initiative (CNCI) that my Department helped to launch under President Bush, and which has been carried forward under the current Administration.

Recent cyber attacks underscore the importance of continuing to press for increased security over the Internet with the same urgency that we are applying to securing our aviation systems and our seaways.  That means four things:

First, in the U.S., we must fully fund and complete the implementation of our Cybersecurity Initiative, which places responsibility for network defense not only on the government, but also on operators of critical cyber infrastructure in the private domain.

Second, to be responsible Internet citizens, we must each commit to employ well-documented security techniques, e.g., for creating and renewing passwords, and for protecting our individual computing resources. 

Third, sovereign manufacturers of computer hardware and software must take a close look at the components and code that are imported from outside their national borders from foreign entities, to determine potential security implications for systems when bundled into domestic cyber systems.

Finally, we must formulate an international strategy and response to cyber attacks that parallels the traditional laws governing the land, sea, and air. As we become increasingly interconnected and interdependent, we cannot postpone the debate until we are in the midst of a catastrophic cyber attack.  The U.S. Director of National Intelligence, Dennis Blair recently said in his testimony before Congress, “We cannot protect cyberspace without a coordinated and collaborative effort that incorporates both the US private sector and our international partners.”

This last element is in many ways the most important because the identification and development of an international approach to governing elements of cyberspace will foster increased collaboration and transparency amongst foreign sovereign governments.

I very much support the aims of EWI’s International Cybersecurity Initiative for the very reason that it will help to move that debate forward and hopefully build international trust among the leaders of sovereign governments.  To that end I am looking forward to this afternoon’s workshops and to meeting as many of you as I am able.

Thank you very much again for having me here to address you today.